Privacy Policy

The Controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:

Jonas Bergert Albert-Roßhaupter-Straße 32 81369 München Germany

E-mail: kontakt@meldenapp.de Website: https://meldenapp.de

A data protection officer is not required by law and has not been appointed. If you have any questions regarding data protection, please contact the e-mail address stated above.

MeldenApp is a platform that enables citizens to report problems and issues in public spaces (e.g. potholes, defective street lights, illegal fly-tipping) to the responsible authorities. The service is available as a web application and as a mobile app (iOS and Android).

In the course of providing this service, we process personal data of our users. This privacy policy provides you with comprehensive information about the nature, scope and purpose of data processing, as well as your rights as a data subject.

The processing of personal data always takes place on the basis of a statutory legal ground. The following legal bases apply to the individual processing operations:

When registering a user account, we collect and process the following data:

• Name
• E-mail address
• Password (stored in encrypted form, not visible to us)
• Profile picture (optional)
• Time of registration

To manage your session, we additionally store:

• Session token (to identify your active session)
• IP address (to protect against misuse)
• User agent (browser and device information)
• Session expiry time

To protect against misuse, we employ rate limiting: a maximum of 5 login attempts per minute and a maximum of 3 password resets per minute.

For e-mail verification, password reset and account deletion, time-limited verification tokens are created that automatically expire after a set period.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Retention period: Until deletion of the user account. Session data is automatically deleted upon expiry of the session.

The core function of our service is the receipt and forwarding of citizens' reports. In this context, we process the following data:

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — the receipt and forwarding of reports is the core purpose of the service). For anonymous reports, additionally Art. 6(1)(a) GDPR (consent).

Retention period: Reports are retained for a maximum of 3 years after completion (status «resolved» or «closed») and are then automatically deleted.

To document problems, you may upload photos with your report. In doing so, we process:

• The uploaded image file (maximum 10 MB, formats: JPEG, PNG, WebP, HEIC)
• Original file name
• MIME type and file size

Photos are stored on our server in Germany (see section «Hosting»). Uploaded photos may be shared with the following recipients:

• With the responsible authority when your report is forwarded
• With the AI service OpenRouter for automated image analysis (see section «AI Processing»)

Please note: Photos may inadvertently contain personal data of third parties (e.g. individuals, vehicle registration plates). Please ensure that you do not capture any unnecessary personal data of third parties in your photos.

Legal basis: Art. 6(1)(b) GDPR. Retention period: Photos are deleted together with the associated report.

For sending e-mails, we use the service Brevo (formerly Sendinblue) of Brevo GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. Brevo is an EU-based e-mail service provider with whom a data processing agreement (DPA) has been concluded pursuant to Art. 28 GDPR.

The following types of e-mail are sent via Brevo:

• E-mail verification upon registration
• Password reset
• Confirmation of account deletion
• Forwarding of reports to responsible authorities (including report details and photos)
• Approval requests to case handlers
• Notifications of responses from authorities
• Notifications of new authority registrations

To ensure reliable delivery, we log the delivery status of each e-mail (sent, delivered, opened, bounce, spam report). This data is provided by Brevo via webhooks.

In addition, we process incoming e-mail replies from authorities via the domain reply.meldenapp.de. In this context, the sender's e-mail address, sender name, subject and message body are stored.

Sender address: noreply@meldenapp.de. Legal basis: Art. 6(1)(b) GDPR (transactional e-mails in the context of service provision) and Art. 6(1)(f) GDPR (legitimate interest in delivery monitoring).

Further information: https://www.brevo.com/de/legal/privacypolicy/

To improve our service, we use artificial intelligence via the provider OpenRouter Inc. (USA). OpenRouter facilitates access to various AI models. We use AI for two purposes:

Important: No personal data such as name, e-mail address or telephone number is transmitted to OpenRouter. The transmission is limited to report content and location data.

As OpenRouter is based in the USA, a transfer to a third country takes place. The transfer is carried out on the basis of standard contractual clauses (Art. 46(2)(c) GDPR) and/or the EU–US Data Privacy Framework, insofar as the respective sub-processor is certified.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in automated categorisation and authority assignment to improve service quality).

We use PostHog (PostHog Inc., USA) to analyse the usage of our web and mobile application. PostHog is operated on the EU instance (eu.i.posthog.com), so that your data is processed and stored within the European Union.

The following data is collected:

• Page views and time spent on page (Web)
• Screen views and app lifecycle events (Mobile)
• User identification for logged-in users (user ID, e-mail, name)
• Custom events: progress through the report form, AI suggestions, successful report submission (including category, number of photos, anonymity status)
• Device information and environment (development/production)

Upon logout, the PostHog identity is reset so that subsequent activity is no longer linked to your user account.

PostHog sets cookies to recognise returning visitors. A data processing agreement has been concluded with PostHog.

Legal basis: Art. 6(1)(a) GDPR (consent). Further information: https://posthog.com/privacy

To determine the address from your GPS coordinates (reverse geocoding) and for address search, we use the Nominatim service of the OpenStreetMap Foundation (OSMF), 132 Maney Hill Road, Sutton Coldfield, West Midlands, B72 1JU, United Kingdom.

Only location coordinates or search terms are transmitted to Nominatim — no personal data such as name or e-mail address. Nominatim does not set cookies.

In the mobile app, you will be asked for permission to access your device's location. You may revoke this permission at any time in your device settings. Alternatively, you may select the location manually on the map.

Legal basis: Art. 6(1)(b) GDPR (required to identify the location of a report). Further information: https://osmfoundation.org/wiki/Privacy_Policy

Legal basis: Art. 6(1)(b) GDPR (required for map display as part of service provision).

In the mobile app, we offer push notifications to inform you about status changes to your reports. For this purpose, we use the service Expo (Expo Inc., USA).

The following data is processed in this context:

• Device push token (device-specific identifier)
• Platform (iOS, Android or Web)
• Notification content (status change, tracking ID)

You may disable push notifications at any time in your device settings. The transfer of data to the USA is carried out on the basis of standard contractual clauses (Art. 46(2)(c) GDPR).

Legal basis: Art. 6(1)(b) GDPR (service function actively enabled by the user).

Our web application uses cookies. Cookies are small text files stored on your end device. We use the following cookies:

In the mobile app, session data is stored in the secure device storage (Secure Store). Local data (e.g. cached report drafts) is stored in the device's Async Storage.

You may prevent the storage of cookies by adjusting the appropriate settings in your browser. Please note, however, that in this case you may not be able to use all functions of our web application.

Our application is hosted on a server of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. The server location is in Germany. All data is stored and processed exclusively on servers in Germany.

The database (PostgreSQL) is located on the same server. Uploaded files are stored in the server's local file system. No external Content Delivery Network (CDN) is used.

Further information about the hosting provider: https://www.hetzner.com/de/legal/privacy-policy/

Under the General Data Protection Regulation, you have the following rights:

To exercise your rights, please contact: kontakt@meldenapp.de

We use artificial intelligence to generate suggestions for the categorisation of reports and the assignment of responsible authorities (see section «AI-Assisted Processing»).

This AI processing generates solely suggestions that can be reviewed and modified by you as a user or by our case handlers. No solely automated decision-making takes place that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR).

We reserve the right to amend this privacy policy in order to adapt it to changes in the legal position or changes to the service. The current version can always be found on this page.

In the event of material changes that affect your rights, we will notify you separately. The current version number and the date of the last update can be found at the beginning and end of this privacy policy.